A recently released video deposition in long-running lawsuit over Google
tracking its users has claimed that even the CEO Sundar Pichai isn't clear
on what's going on below him.

For the past three years, Google has been fighting a lawsuit that claims
the company has a misleading menu that promises privacy but fails to
provide it.

It's all about a setting called Web & App Activity (WAA) and a subsetting
referred to as sWAA that extends purported privacy protection to "include
Chrome history and activity from sites, apps, and devices that use Google
services." The relevant menu button is available via one's Google Accounts
web page.

When turned on, as currently described, the WAA button "saves your
activity on Google sites and apps, including associated info like
location" to personalize searches, recommendations, and other Google
services. But when it's turned off Google still saves people's data, or so
it's alleged in the complaint filed in July 2020, and amended for the
fourth time in January 2023.

"Google had promised that by turning off this feature, users would stop
Google from saving their web and app activity data, including their app-
browsing histories," the fourth amended complaint [PDF] says. "Google�s
promise was false."

Jonathan Hochman, an expert witness for the plaintiffs, provided a
technical analysis of Google data collection, but his report remains under
seal. As is common in such cases, Google has pushed for sensitive
documents obtained during the discovery process to be redacted or sealed.
This has become an issue in the US government's ongoing antitrust trial
against Google, where much of the testimony and many of the documents have
been withheld from the public.

However, a transcript of Hochman's video deposition [PDF] posted to the
court docket sheds more light on claims. "... the WAA/sWAA switch, I have
called it a fake control, because it doesn't do � technically doesn't do
what it seems it should do," he explained.

Hochman in his deposition contends that even Google insiders, including
Alphabet CEO Sundar Pichai, misunderstand the WAA control.

"It looks like even Sundar Pichai is confused about how this control works
because he testified in front of Congress and told them something that is
just wrong from a technical perspective�," he said.

This is spelled out more explicitly in a more recent court filing [PDF]:
"For example, Google CEO Sundar Pichai testified to Congress that, within
'My Account' user can 'clearly see what information is collected, stored.'
That supposedly 'clear toggle' Mr Pichai was referring to could only be
WAA."

That document goes on to state: "Contrary to Mr Pichai's Congressional
testimony, the founder of Google's Privacy and Data Protection Office
testified in this case that he is 'not aware of any setting' that users
can employ to prevent Google from collecting data related to their app
activity."

Much of the issue, allegedly, is that WAA, rather than saving data when on
and not saving it when off, simply saves data in a different place � not
in the Google Account data set. Addressing the confusion about the bounds
of Google Accounts, Hochman said, "So I'm aware that Google may save data
in different locations, depending on where that WAA/sWAA switch is set. It
is still collecting the same data and still saving it, but it may save it
in different places."

Firebase burns through personal firewall
The complaint alleges that Google still collects data from users who
disable the WAA setting "through various backdoors made available through
and in connection with Google�s Firebase Software Development Kit,
including not only Google Analytics for Firebase but also without
limitation AdMob and Cloud Messaging for Firebase."

Firebase, a cloud database, was acquired by Google in 2014, and as of 2021
was said to be incorporated into three million mobile apps. Third-party
app makers can integrate Firebase using the Firebase Software Development
Kit, which adds support for Google Analytics for Firebase, as well as
mobile ad service AdMob and Cloud Messaging for Firebase.

Google, it's claimed, collects data from mobile third-party apps, even
those who disable WAA, using Firebase SDK code, as well as Google Mobile
Ads SDK, AdMob+ SDK, and browser "WebView" technologies.

"All of these products surreptitiously copy and provide Google with app
activity data while WAA is turned off, including personal browsing data,"
the complaint claims.

The complaint cites statements from Google's own employees that suggest
WAA is confusing and poorly understood.

Quoting specific exhibits in the case, the complaint says, "Google�s
employees recognize, internally and without disclosing this publicly, that
WAA is 'not clear to users,' 'nebulous,' 'not well understood,'
'completely broken,' and 'confuses users,' where people 'don�t know what
WAA means' and Google�s promise of control is 'just not true.'"

The complaint cites internal Google communication about the true nature of
the WAA control: "As summarized by a Google employee in an internal email,
'WAA (or any of the other controls) does not actually control what is
stored by Google, but simply what the user has access to. This is really
bad. � I for one didn�t realize Google actually stored all of my activity
even if those controls were off and I work at Google! Seems sort of silly
to turn them off as I�m not any safer with them off than on.'"

An Orwellian landscape
The complaint points out that related allegations have come up in recent
government litigation against Google. It cites documents produced by
Google in a 2020 case brought by Arizona's Attorney General that mention
Web & App Activity by name. Google settled that claim last year for $85
million.

"When users turned off their Location History in settings, Google
continued to surreptitiously collect their location through other settings
such as Web & App Activity and the company used that information to sell
ads," the Arizona AG's office said when it announced the deal.

Google declined to comment but has disputed many of the allegations in its
answer [PDF] to the fourth amended complaint.

The company in its filings has characterized the employee messages cited
as "cherry-picked" communications that mischaracterize the technology or
are taken out of context. Google maintains that the sWAA setting, through
which third-party apps receive data, is so developers can understand app
behavior and isn't saved to Google users' marketing profiles. Essentially,
Google maintains that any data gathering is adequately disclosed and that
app developers implementing Google Analytics are bound by the company's
Terms of Service.

Coincidentally, earlier this year, Google began notifying some users of
its services that they have Web Apps & Activity turned on. The message
insists, "You're in control," and insists no action is required but allows
that the setting can be changed.

Hochman in his assessment of WAA is unsparing.

"The situation I found upon the technical investigation was
counterintuitive, it was not what I expected to find, and it is, frankly,
kind of Orwellian, it is just very strange that you have a privacy switch
that when you flip it, it just means we don't tell you that we're spying
on you," he said.

"It is almost like the party slogan from 1984, you know, ignorance is
strength, that's like what this is. That's what this control is. You flip
the switch, you can remain ignorant of the fact that you're being spied
on."

Yet whether Google has actually violated any laws here has yet to be
decided. Last year, the judge hearing the case dismissed [PDF] claims that
alleged violation of the California Invasion of Privacy Act and breach of
contract. What remain are three claims under California's Comprehensive
Computer Data and Access Fraud Act, invasion of privacy and intrusion upon
seclusion. �

https://www.theregister.com/2023/10/24/google_privacy_button/?td=keepreadi
ng